How does Movere encrypt data?

Movere is built on Cloud Native principles and technologies that are constantly evolving to include both new features meant to enhance the user experience, and new security practices aimed at protecting against malicious attacks. Movere has recently achieved SOC 2 certification, which provides an extra set of controls. This, coupled with our adherence to Cloud Native Computing Foundation (CNCF) principles, places Movere security as a first-class citizen.

Data for Transmission

The Movere Console includes a PGP key that is unique to each customer. The key is 2048-bit long, and is used to encrypt in memory all data collected prior to its transmission either back to the Movere Console for uploading to the cloud or directly from the targeted endpoint to the cloud. This is referred to as the Public Key, and can only be used to encrypt data. To decrypt the data, the encrypted payload needs to be uploaded to the cloud where specialized APIs identify the user, match it to a customer, and retrieve the corresponding private PGP key from a repository that stores it encrypted, as well. All PGP Private Keys are managed by Movere.

The user that is uploading data using the Movere Console needs to have the correct access level (Write claim), and is required to authenticate using the Movere Console. Once the user authenticates, they are issued a long-lived token (token.txt). The token is valid for 90 days and is used for every upload that the Movere Console is responsible for, be it inventory or ARC data.

Data at Rest

Once customer data reaches Movere’s cloud servers, it is decrypted and stored in memory before being saved to a series of databases (depending of the data type). Wherever available, data stored in databases such as SQL Azure and Azure Data Warehouse is encrypted using native technologies like Transparent Data Encryption (TDE). For data stored in document databases such as Cosmos DB, data is encrypted, both at rest and in transit, using native technologies available in Azure. All connections between APIs and data stores are encrypted and secured as well. The only exceptions are data stores where either the data that is stored is ephemeral (e.g. cached or used for live processing), or it does not contain user data.

Data for Presentation

To render data via the browser, Movere uses Qlik Sense, a fast and powerful BI tool enabling users to navigate data using rich visualizations and to leverage large volumes of data without compromising load time. Qlik uses proprietary in-memory technology, so no data is saved on disk while being visualized in the browser. In addition, the connection between Movere’s web servers and the user’s browser is encrypted using TLS 1.2.

IMPORTANT: The token is NOT used to encrypt or decrypt data, nor can it be used to access the Movere website. The sole purpose of this token file is to allow uploads of already encrypted data to the cloud, and to identify the user that is performing the upload. After 90 days, the token becomes invalid, and the user needs to authenticate once again via the Movere Console. The entire upload process via the Movere Console is performed over a secure connection (HTTPS) via TLS 1.2. This is in addition to the encryption at rest of each file using PGP keys.